Facebook is releasing its photo app Moments in Europe, but with some important changes in order to comply with EU privacy laws. While the U.S. version of Moments features facial recognition technology, the European version will not, in part because of Facebook’s battle with the Irish data protection commissioner over the legality of the technology. The app uses facial recognition technology to identify individuals within photos bundled from the same event. The European version will still group photos from a particular event, but users will have to manually tag their friends. One major difference allows European users to share their photos privately, in a move geared toward the more privacy-cautious EU userbase. [The Guardian]
The FBI has been building a massive biometric database for the last eight years. The Next Generation Identification System (NGIS) starts with millions of photos of criminals (and non-criminals) and builds from there. Palm prints, fingerprints, iris scans, tattoos and biographies are all part of the mix. Despite having promised to deliver a Privacy Impact Assessment of the database back in 2012, the FBI’s system went live towards the end of 2014 without one. That’s a big problem, considering the database’s blend of guilty/innocent Americans, along with its troublesome error rate. The FBI obviously hopes the false positive rate will continue to decline as tech capabilities improve, but any qualms about bogus hits have been placed on the back burner while the agency dumps every piece of data it can find into the database. The FBI has shown little motivation to address Americans’ privacy concerns by providing an updated Impact Assessment (the one it does have dates back to the program’s inception in 2008), but has wasted no time in alerting legislators about its own privacy concerns. On Thursday, the Justice Department agency plans to propose the database be exempt from several provisions of the Privacy Act — legislation that requires federal agencies to share information about the records they collect with the individual subject of those records, allowing them to verify and correct them if needed. The DOJ’s comments reflect the FBI’s desire to keep its newest tracking toy as secret as possible. It asks for a number of exceptions and justifies those with the same excuses it uses to withhold information from both courts and FOIA requesters. [Source]
UK – PwC White Paper Points to Best Privacy Practices When Using Biometric Matching for Authentication
Nok Nok Labs, a member of the FIDO (Fast IDentity Online) Alliance, published a White Paper from PwC Legal comparing key privacy implications of on-device and on-server matching of biometric data. For organisations considering biometrics as they move away from reliance on usernames and passwords, the report highlights why device-side matching of biometric data is a compelling approach to satisfy key privacy requirements on cross-border personal data transfers, as well as providing the benefits of individual choice and control around such personal data. Other key findings in the White Paper include:
- Freely given, informed user consent is required before processing biometric data in almost every jurisdiction covered in the White Paper
- With centralised storage of biometric data, the potential for large-scale loss of data is significantly increased
- On-device authentication will generally avoid international cross-border biometric data transfer implications. Conversely, on-server authentication for a global network of biometric users results in international transfers of data; transfer of personal data, including biometric data, out of a jurisdiction is generally restricted
“Biometrics are a compelling way to improve mobile application usability and avoid the security pitfalls of username/passwords, but significant privacy concerns come into play,” said Phillip Dunkelberger, President & CEO of Nok Nok Labs. “With biometrics, it is crucial to understand the difference between on-device and on-server matching, as the difference between the two approaches significantly affects the risk and exposure of data in a breach. The on-device approach, as used by Nok Nok Labs technology, ensures optimal privacy for biometric information.” [Source] [FedScoop: PwC Study: Device-Side Biometrics Preferred Over Server-Side]
The Office of the Australian Information Commissioner is seeking feedback on a draft guide to the interaction between so-called big data and Australian privacy law. In particular, the draft examines how the Australian Privacy Principles (APPs) apply to big data. “There is no doubt that big data practices challenge us to think about how key existing privacy principles — including notice and consent, data collection, use limitation, and retention minimisation, — work in practice,” acting Australian Information Commissioner Timothy Pilgrim said. “However, the APPs [Australian Privacy Principles] are technologically neutral, and structured to reflect the entirety of the information lifecycle. This means entities have the flexibility to tailor their personal information handling practices to respond to the privacy challenges of big data uses.” “The draft guide is aimed at facilitating big data activities while protecting personal information. It encourages entities to take a risk management approach and to use existing privacy tools to get privacy right for big data,” Pilgrim said. [Source] The document is available from the OAIC’s website. The deadline for submissions on the draft is 26 July.
“It seems clear that reading privacy policies could be a full-time pursuit with untold hours of overtime,” federal privacy commissioner Daniel Therrien told a privacy conference in Toronto. “It is no longer entirely clear who is processing our data and for what purposes – creating challenges for meaningful consent.” That’s why his office has started a consultation with chief privacy officers and other executives, researchers as well as the public on whether the consent model — largely instituted by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) — should be improved or should there be more focus on accountability and ethical uses of personal information by organizations, which would place the responsibility for oversight on regulators. [Source]
CA – OPC Releases Publication Highlighting Independent Privacy Research Projects Funded by Contributions Program
The Office of the Privacy Commissioner of Canada (OPC) has released the latest edition of Real Results—a publication highlighting the innovative and socially relevant independent privacy research and knowledge translation projects funded by the OPC Contributions Program over the past few years. The new edition of Real Results features funded projects that explore a range of emerging privacy issues—police background checks, the use of genealogical information, and telematics systems in cars—as well as some innovative approaches for helping young people learn to protect their privacy. The stories feature key findings of the projects, as well as commentaries and ideas from the researchers themselves that illustrate the issues and the impact of their work. The OPC Contributions Program funds independent privacy research and related knowledge translation initiatives. These projects not only advance the collective knowledge on privacy, they provide real, tangible research results that Canadians can use to make decisions about privacy protection in their own lives. To explore all research and knowledge translation projects funded by the OPC Contributions Program, see the Contributions Program projects listed by year on our website. [Source]
The Department of Justice for the Northwest Territories has issued a consultation on reform of the Access to Information and Protection of Privacy Act. Comments will be accepted until June 15, 2016. A comprehensive review of the Act is being conducted to address identified issues related to the purposes of the Act, the scope of the Act, time limits for responding to access to information requests, mandatory and discretionary exceptions to disclosure, circumstances allowing disclosures of personal information, the powers of the IPC, and current levels of fines for offences under the Act. [NWT Government – Public Engagement on the Comprehensive Review of the Access to Information and Protection of Privacy Act]
The Liberal government is floating the idea of a ministerial veto over planned new powers for the information commissioner — a move that would give cabinet the power to block release of documents. …Currently the commissioner, an ombudsman for users of the access law, can investigate complaints and recommend that records be released. But she cannot force a government agency to do so, and must head to court to pursue the matter further. Provincial commissioners in British Columbia, Alberta, Ontario, Quebec and Prince Edward Island have the power to order the release of government information. Many openness advocates have called for the federal commissioner to have similar authority. [Source]
Quebec’s Information Commissioner has condemned Lester B. Pearson School Board (LBPSB) for sharing confidential personal information far too freely. Judge Cynthia Chassigneux ruled that LBPSB grossly violated its stakeholders’ rights by sharing their personal information with a private California database firm Blackboard Connect, where it is subject to disclosure to American authorities under the Patriot Act. [The Suburban]
What happens to data being stored in Canada and whether it can be accessed by foreign law enforcement agencies is a question Canadian courts are currently grappling with. Two decisions — one in Ontario, the other in British Columbia — have determined that information held in servers in Canada can’t be shielded for review by American investigators. But the Ontario Court of Appeal has decided to re-examine one of those cases. [Law Times]
In its recent decision R. v. Craig, 2016 BCCA 154, the B.C. Court of Appeal recognized a reasonable expectation of privacy in private instant messages shared on a social network. Even though the context was criminal law, the reasoning underlying the decision is of interest to any practitioner confronted with protection of privacy issues. This bulletin discusses this case first by presenting the facts, followed by the legal issues, the “reasonable expectation of privacy” test, and the court’s guidance for the future. “In our opinion, this decision can be summed up in two words as it pertains to reasonable expectation of privacy: tradition and progress. Legal tradition, because the Court of Appeal reiterated and affirmed the doctrine of confidentiality in private communications: the sender is not supposed to know that the recipient will share the message with third parties. Technical progress, because the Court of Appeal applied this doctrine, with the necessary adaptations, to the digital universe, by explaining that private instant messages shared on a social media website are entitled to an objective expectation of privacy. Most importantly, from a much broader perspective, this principle would apply to any private technological communication.” [Fasken]
The Office of the Privacy Commissioner of Canada recently commissioned a telephone survey of 1,016 Canadian companies to find out how Canadian businesses fare with their privacy knowledge and protections. The informative report on the survey is the 2015 Public Opinion Research with Canadian Businesses on Privacy-Related Issues. Canadian businesses report increased knowledge of privacy issues, but little progress in implementing privacy policies or response plans for data breaches – placing them at risk for new enforcement activities and fines. [Source]
Mounties probing CSIS leak conducted unauthorized surveillance of 2 journalists Officers spent 9 days watching Ottawa-based journalists, new document reveals. Only after the surveillance of the reporters had occurred did officers ask their RCMP bosses for the required permission. They were immediately denied authorization, and told to cease the surveillance. The bombshell revelation about a national police agency spying without authorization on Canadian journalists appears in a document obtained by CBC News under the Access to Information Act. The partly censored briefing note for Public Safety Minister Ralph Goodale was written after media reports appeared last November detailing Project Standard. That was the official name of the Mountie probe into the leak of a 2003 secret document, created by the Canadian Security Intelligence Service (CSIS), to journalists working for the Montreal newspaper La Presse. [CBC] [Trudeau: ‘Unacceptable’ That Rogue Canadian Cops Spied on Two Journalists] See also: [Mulcair calls for inquiry into RCMP surveillance of journalists] [RCMP commissioner speaks out on unauthorized surveillance]
The governing Liberals are ready to examine whether Nova Scotia’s privacy law is preventing young adults from getting the support they need when they are suffering from a mental illness. The issue was front and centre at Province House on Tuesday during a visit to the legislature by Carolyn Fox. Her daughter, Cayley, 21, killed herself on Jan. 22. [Source] See also: [Nova Scotia mental health care privacy laws unlikely to change: former health czar]
A majority of Canadians believe that their personal, confidential information held by all levels of government is vulnerable to a security breach, including non-authorized internal access or an external data hack and theft, according to a new Ipsos poll conducted on behalf of Accenture. Municipal governments top the list, with 56% of Canadians describing them as vulnerable (16% very/41% somewhat) to threats when it comes to personal data for things such as property tax, water/sewage and traffic fines. A minority (44%) does not see their information as vulnerable (9% not at all/34% not very). Other levels of government don’t perform much better, as many feel the same way about their provincial government, which stores confidential data for drivers’ licenses, health cards and birth certificates: a slim majority (55%) say entities at the provincial level are vulnerable to data security breaches (20% very/35% somewhat), while nearly half (45%) say they aren’t vulnerable (13% not at all/32% not very). When sharing their personal, confidential data with the Federal government – for anything from taxes to SIN cards to passport renewals – 53% of Canadians feel their data is vulnerable to a security breach (20% very/33% somewhat), while fewer than half (47%) do not (15% not at all/32% not very). While most Canadians likely trust their doctor, many are less convinced about the security of their health records. Half (55%) feel records held at their doctor’s office or hospital are vulnerable (20% very/35% somewhat) to a security breach, while 45% do not (14% not at all/31% not very). Other institutions are not exempt from data protection concerns. Half of Canadians (52%) feel their hydro electricity provider is vulnerable to a data security breach (14% very/38% somewhat), while the other half (48%) does not feel their information held by their hydro provider is vulnerable (10% not at all/38% not very). [Source] [Press Release | Detailed Tables 1 | Detailed Tables 2
A National Telecommunications & Information Administration survey found Americans are concerned about online privacy and security and are curtailing their activities as a result. The survey revealed 19% of Internet-using households, equaling around 19 million, have been hit by a negative event, including a security breach or identity theft in the 12 months before the July 2015 survey. When asked about online concerns, 84 percent of participants named at least one online security concern, with identity theft cited as the most pressing issue, coming in at 63%. These fears are affecting online habits, the report states, as 45% of households said concerns stopped them from activities such as financial transactions, posting on social media or buying goods or services, with 30 percent saying it stopped them from performing at least two of those actions. [NTIA] [Privacy And Security Concerns Are Keeping Many Americans Offline]
A survey of 1,000 UK consumers commissioned by FireEye has revealed that last year’s high-profile data breaches have dented long term consumer trust in major brands. Findings highlighted rising public concerns over a perceived lack of board-level concern for data privacy, with almost three quarters (72%) of consumers stating that they were likely to stop purchasing from a company if a data breach was found to be linked to the boardroom failing to prioritise cyber security. A data breach linked to a lack of board-level attention was deemed less acceptable than if a data breach had occurred as a result of human error – with only 38% of consumers stating that they would be likely to stop purchasing if this was the reason. 29% of consumers said that data breaches had diminished their loyalty as current or potential customers of affected brands, and 38% said that they felt more negatively about companies that suffer data breaches, indicating that consumers are still largely viewing the organisations breached as the parties at fault, rather than victims of cyber crime. In addition to this, over a quarter of consumers (27%) indicated that persistent data breaches have negatively affected their perception of organisations that they buy from in general, indicating that persistent reports of data breaches is not just harming the reputation of affected organisations, but having a wider impact on consumer trust. The findings also reveal the potential long-term financial impact of data breaches on major brands, with 52% of consumers warning they would take legal action against companies if a data breach resulted in their personal details being stolen or used for criminal purposes. 62% of consumers also reported that they will now share fewer personal details with companies, which could hit the revenues of organisations – from social media platforms to search engines – that rely on collecting detailed consumer data for advertisers. [Source]
Australian jurisdictions are highlighting privacy and data control this month, but disquiet remains about The Australian Bureau of Statistics’ recent reversal of a longstanding policy and plan for mandatory retention of names and addresses with this year’s national census. Victoria’s privacy chief worries compulsory collection of information for purposes other than law enforcement “could set a really bad precedent”. The census collects a huge array of personal data in one place — a potential honeypot for those involved in identity crime. “One of the privacy principles is data minimisation and that’s contrary to what the census is about, so I have reservations about it,” he says. [Source] [CA— Ex-MP Dean Del Mastro says long-form census may violate right to privacy]
Microsoft has finally made its Azure Cloud services generally available in Canada post a short limited availability experiment in March. To provide Canadian businesses with the satisfaction that their data isn’t leaving the country, all users will be provided cloud services through local datacentre regions located in Toronto and Quebec City. Microsoft has also said that its Office 365 customers will also be provided data residency through the local datacentres. “With so much momentum in the cloud, we are thrilled to welcome Bell Canada as the first Canadian telecommunications partner for Azure ExpressRoute,” said Canadian MSFT CEO Janet Kennedy. [Source]
The Canadian Radio-television and Telecommunications Commission issued a Notice of Violation to Thee Future Web Ltd. for violations of the Unsolicited Telecommunications Rules. The company made calls to individuals registered on the National Do Not Call List, had not registered or subscribed to the Do Not Call List, and did not provide the appropriate information in a clear manner upon reaching the individual. [CRTC – Notice of Violation – Thee Future Web Ltd] See also: [CRTC Fines Company $30,000 For Unsolicited Telemarketing Calls: Notice of Violation – Century 21 Innovative Realty Inc.] and [CRTC Fines Company $65,000 For Unsolicited Telemarketing Calls: Notice of Violation: Right at Home Realty Inc. – PDR 9174-1603]
Despite the many benefits of moving to the cloud, South African businesses are still hesitant to make the transition. There is still much uncertainty about the move and how it will affect business. …Here are five extra reasons why adopting the cloud could work for your business. According to Vodacom Business, 32% of South African businesses are not confident that data is secure when using a cloud service. There are several reasons why wariness of transitioning to the cloud exists such as:
- Loss of control.
- Handing the performance of your business over to a 3rd
- What if the system fails?
- What position will the business be in if it isn’t able to perform?
- The fear of operations being affected.
- Security concerns. [Source]
Rob Wainwright, director of Europol, says encryption is a major problem in most of the cases the agency handles, Motherboard reports. Wainwright responded to an op-ed written by John Naughton for the Guardian on Twitter, proclaiming how encryption has been plaguing Europol cases. “Encryption dilemma must be solved soon. Real problem in 75% of all Europol cases” Wainwright tweeted. While Wainwright did not elaborate on the types of encryption troubling Europol, Claire Georges, a member from the agency’s corporate communications, said technology such as Tor and bitcoin are part of the problem. “Technology in general is used not only by cybercriminals, but also by drug dealers, child sexual offenders and other criminals involved in different illegal activities. Encryption is commonly used in secure communications and is becoming a standard protection feature in many products, such as e-wallets for virtual currencies,” Georges said. [Full Story]
Dynamic IP addresses are subject to privacy protection rules, the EU Advocate General said in a non-binding opinion. …The opinion, issued by Advocate General Manuel Campos Sánchez-Bordona, is online but has yet to be translated into English. The advocate general’s opinions are non-binding but they typically dictate how the European Court of Justice will rule. [Electronic Privacy Information Center] [CBS] [EU Advocate General Considers “Dynamic IP Addresses” as “Personal Data”: an Extension of Personal Data Scope?]
Following a year that saw investigations into direct marketing by charities and a change in the law that led to the UK Information Commissioner’s Office setting record fines for nuisance calls and texts, ICO’s recent update of its guidance on direct marketing comes at a critical time. In light of the new guidance – as well as the new EU data protection regulation and expected review of the e-privacy directive – it’s more important than ever that those involved in direct marketing understand how to apply this complex area of law. Most of the new guidance focusses on helping charities to comply with the law, but it also gives helpful clarification for businesses that do direct marketing: particularly on the issue of what constitutes consent to use data, including ‘indirect’ consent. This article highlights the changes to ICO’s guidance, and what else is on the horizon that might affect how businesses conduct direct marketing. [Source]
An F5 survey exploring the attitudes of data and security handling found half of UK respondents agree that tech firms should prioritise national security over consumer privacy. Only 26% of Brits agreed that privacy should be prioritised over security. The survey found that two-thirds of respondents were concerned about their privacy being compromised, while 72% had no confidence in social networks to protect their data from hackers effectively. But despite this, more than half were willing to share personal information for free access to a company service. People it seems are willing to share date of birth (53%), marital status (51%) and personal interests (50%) in return for a free service. But almost a third (31%) see no value in giving their personal data to companies. Nearly all consumers (88 percent) feel strongly that organisations should improve authentication for greater security. [Source]
The organization behind the right to be forgotten application site Forget.me, Reputation VIP, has released a new report which found in the two years since Google began accepting RTBF requests, the company has refused 70 to 75 percent of them. Germany and U.K. residents most frequently make RTBF entreaties, the report states. While “invasion of privacy” tops the catalyst for most applications, “Google most frequently denies removal requests that concern professional activity,” the report states. “Following that, Google often denies requests where the individual involved is the source of the content sought to be removed.” [Search Engine Land]
A new credit rating database allows Australians to look up the credit scores of other civilians by address. Dubbed Georisk, the publicly accessible system exists for companies to “keep track” of consumers’ financial history while helping predict customers’ credit worthiness. It then ranks the scores on a risk factor from one to 10. The database has frustrated privacy advocates, the report states. “I think most people are going to feel their privacy is being grossly invaded by public disclosure of this information for anyone who wants to look at it for any purpose whatsoever,” said Civil Liberties NSW’s Stephen Blanks. [Yahoo7 News]
Civil libertarians have been left outraged by a public database which shows household credit ratings. It’s information anyone can look up, all that is needed is an address. Credit rating companies keep track of past financial behaviour to predict a person’s credit worthiness. Now companies are able to access a credit risk rating that has been applied to every household in Australia. Georisk aims to measure an individual’s financial risk, by putting consumers in a range from one to ten. The ratings are publicly available to anyone who wants to search it on a computer. Not everyone was pleased to know their information was publicly visible online. However the creators have defended the website, saying they weren’t offering anything that was sensitive to the individual. To see what your home’s credit risk rating is click here. [Video: Outrage over private household information being released on public database] [Source]
Google will no longer permit “payday loan ads” on its site. The Wednesday announcement is a concession to critics who argue that the lending practices exploit “the poor and vulnerable,” the report states. They pose a privacy concern as well. “You search the Internet when you need help — and as a result you may give search engines some really sensitive information about your finances,” said Georgetown Law Center on Privacy & Technology’s Alvaro Bedoya. He called Google’s decision a “principled stance,” adding that it will set a precedent for other search engines. [Full Story]
Verizon has just published its 2016 Data Breach Investigation Report. In preparation for this publication, Verizon reviewed more than 100,000 incidents (reported by a plethora of technology companies, law firms, government agencies, and insurance companies, as well as through its own investigations), of which 3,141 were confirmed data breaches. The report yielded several interesting trends. Not surprisingly, most data breaches are about money — thieves stealing data because of its value. 63% of confirmed data breaches involved leveraging weak, default, or stolen passwords, proving that data thieves will exploit vulnerabilities to take the easiest route. Phishing continues to trend upward. People seemingly just can’t help clicking on authentic-sounding “click here to reset your banking password” e-mails. For example, Verizon found 30% of phishing messages were opened, unfortunately an increase from 23% in 2014. 12% then proceeded to open the malicious attachment or click the link, no doubt to their peril. Overall, 95% of breaches, and 86% of incidents across all industries, predictably fell into nine identified patterns:
- miscellaneous errors (17.7%),
- insider and privilege misuse (16.3%),
- physical theft and loss (15.1%),
- denial of service (15%),
- crimeware (12.4%),
- web app attacks (8.3%),
- point-of-sale intrusions (0.8%),
- cyber-espionage (0.4%),
- and payment card skimmers (0.2%).
- the bucket “everything else” category covered 13.8%.
Interestingly, many of the data breaches reported were not caused by super-secret and sophisticated Mission Impossible-style attacks involving hacking or the wearing of black ninja gear while scaling walls. Instead, many breaches fall into what I think of as the “people are people” category — highlighting human greed/avarice and our basic capacity to make dumb mistakes. [Source]
CA – Court Rules Severance Payment Information Is Exempted from Disclosure Under New Brunswick FOI Legislation
The Court considered an appeal of the Access to Information and Privacy Commissioner’s decision recommending St. Thomas University release information requested under New Brunswick’s Right to Information and Protection of Privacy Act. The Court ruled that, contrary to the Privacy Commissioner’s recommendation, an organization does not have to disclose severance payment information to a requester; such information is neither a “benefit” (it does not bestow an advantage or betterment on a recipient) nor “discretionary” (it is made only to avoid or settle litigation). [Elizabeth Hans v. St. Thomas University – 2016 NBQB 049 – In the Court of Queen’s Bench of New Brunswick, Trial Division, Judicial District of Fredericton]
Information Commissioner Suzanne Legault says giving the government a veto over the release of files would turn her federal watchdog role into “a mirage.” Legault told a Commons committee studying reform of the Access to Information Act that she firmly opposes the idea of a ministerial trump card over proposed new order-making powers for her office. The Liberals promised the information commissioner could issue “binding orders” during last year’s election campaign. …[Now] the Liberal government is floating the notion of a veto that would give the federal cabinet power to block release of documents even if [Information Commissioner] Legault ordered disclosure. [Source]
The Intercept has announced two innovations in how they report on and publish the Snowden Archives. Both measures are designed to ensure that reporting on the archive continues in as expeditious and informative a manner as possible, in accordance with the agreements we entered into with our source about how these materials would be disclosed, a framework that he, and we, have publicly described on numerous occasions. The first measure involves the publication of large batches of documents. We are, beginning today, publishing in installments the NSA’s internal SIDtoday newsletters, which span more than a decade beginning after 9/11. We are starting with the oldest SIDtoday articles, from 2003, and working our way through the most recent in our archive, from 2012. Our first release today contains 166 documents, all from 2003, and we will periodically release batches until we have made public the entire set. The documents are available on a special section of The Intercept. Accompanying the release of these documents are summaries of the content of each, along with a story about NSA’s role in Guantánamo interrogations, a lengthy roundup of other intriguing information gleaned from these files, and a profile of SIDtoday. We encourage other journalists, researchers, and interested parties to comb through these documents, along with future published batches, to find additional material of interest. Others may well find stories, or clues that lead to stories, that we did not. (To contact us about such finds, see the instructions here.) A primary objective of these batch releases is to make that kind of exploration possible. Consistent with the requirements of our agreement with our source, our editors and reporters have carefully examined each document, redacted names of low-level functionaries and other information that could impose serious harm on innocent individuals, and given the NSA an opportunity to comment on the documents to be published (the NSA’s comments resulted in no redactions other than two names of relatively low-level employees that we agreed, consistent with our long-standing policy, to redact). Further information about how we prepared the documents for publication is available in a separate article. We believe these releases will enhance public understanding of these extremely powerful and secretive surveillance agencies. [Source]
A Wisconsin state appeals court has ruled that the Driver’s Privacy Protection Act doesn’t require law enforcement agencies looking to comply with open records laws to redact names from accident reports. DPPA in fact includes an exception for unredacted, non-Department of Motor Vehicles-supplied accident reports. The ruling came at the relief of Wisconsin officials who had “begun blacking out drivers’ names and other information that normally would be public in accident reports” for fear of DPPA violations, the report states. The court did, however, encourage a state circuit court to decide if the unredacted traffic accident information served a purpose beyond compliance, the report adds. [FierceGovernmentIT]
The National Institutes of Health awarded researchers at the Vanderbilt University School of Medicine a $4 million, four-year grant to study the privacy ramifications surrounding genomic data use. “We’re really broadening our horizons to think about how history and public opinion and literature affect the way individuals and communities think about privacy concerns,” said primary investigator Ellen Wright Clayton. “Ultimately, the goal is to develop policy recommendations that address the complexity of what’s at stake.” Johns Hopkins University, University of Utah, and University of Oklahoma also received similar grants, the report states. [EurekAlert!
The OIPC SK has provided trustees with guidance to interpret The Health Information Protection Act, including:
- guidance on when to disclose personal health information to family and friends;
- guidance on de-identified PHI;
- guidance on faxing PHI;
- recommended safeguards;
- best practices for data sharing agreements; and
- privacy breach guidelines.
The guidance includes circumstances under which PHI may be disclosed to family/friends, de-identification of PHI (including an explanatory list of techniques), considerations for data sharing agreements with providers, recommended security measures (including faxing considerations), and a 4-step privacy breach process. [OIPC SK – IPC Guide to HIPA]
Healthcare data security has become a top priority for IT professionals when it comes to investing in cloud applications in 2016, reported the survey. In the 2014 survey, only 31.3% of survey participants stated that their organization planned on investing in cloud solutions for disaster recovery purposes, which often includes healthcare data security measures. Researchers also found that respondents were implementing cloud services to develop more comprehensive incident recovery plans. When participants were asked to assess the motivation factor from 1 (least motivating) to 7 (highly motivating), healthcare data security response was evaluated at 5.11. [Source]
Nearly 90 percent of healthcare organizations were slammed by a breach in the past two years. …The most commonly exposed data in healthcare breaches are medical records, followed by billing and insurance records, and payment information. Some 64% of attacks targeted medical files and billing and insurance records, up from 45%. Nearly 40% of healthcare organizations and 26% of their business partners say they know of medical identity theft incidents affecting their patients and customers, but 64% of healthcare organizations don’t offer credit protection services for victims, and 67% of business partners don’t have procedures in place to correct errors in medical records—a gap that could be life-threatening in the case of an identify thief using a patient’s medical information for fraudulent purposes, the Ponemon report notes. [Source] [Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute]
A Ponemon Institute report found nearly 90% of health care organizations suffered at least one data breach during the past two years, costing the industry $6.2 billion, InformationWeek reports. Ponemon’s “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data” discovered 79% of those organizations suffered two or more breaches, with 45% saying they had been hit by more than five breaches. With most of the breaches exposing less than 500 records, the incidents are not reported to the Department of Health and Human Services. The report also discovered health care budgets for security have either dropped, or remained the same during the past year. In related news, Vormetric released a study revealing 90% of security pros in the financial sector feel vulnerable to data threats, with 44 percent already experiencing a breach. [Full Story] [The Star reports on the first person ever charged under Ontario’s new health care privacy law.]
The World Privacy Forum says privacy principles set forth for the Precision Medicine Initiative “lack detail and fail to address underlying legal requirements and protections.” In a research paper published this week, the organization notes that the HIPAA Privacy Rule will not apply to the research, and that the principles “appear to be voluntary and lack important legal and administrative details.” The current privacy principles in place for the initiative were created by the White House with help from experts working both inside and outside the government. They include categories such as transparency to participants and the public; respect for participant preferences; and appropriate data sharing, access and use. In the paper, WPF outlines its privacy concerns for the PMI and identifies issues that should be addressed. Some recommendations the authors make include:
- The structure and organization of the initiative must be detailed so privacy protections can be assessed, and participants must know who will maintain their data.
- Uses and disclosures of the data for security and law enforcement purposes should be clarified.
- There is “immediate need” for a Privacy Impact Assessment, which then should be open for public comment.
- Privacy rules should be described as covering health records, administrative records and monitoring from health devices and mHealth tools. [Source]
LinkedIn has confirmed a significant breach from 2012 was worse than first thought, with the number of leaked usernames and passwords rising from 6.5 million to a purported 117 million. Earlier this week, fresh LinkedIn credentials went on sale on a dark web market known as The Real Deal. 117 million LinkedIn usernames and passwords will cost 5 Bitcoins, worth approximately $2,200. LinkedIn is in the process of resetting user passwords for every member who joined before 2012 who had not changed their password since the previously-reported breach. It confirmed the action in a blog post, in which it added: “We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply. In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.” [Forbes]
Organizations that suffer data breaches may now be able to offer free fraud protection to their customers through a new program announced this week. Austin, Texas-based data security and analytics company XOR Data Exchange has launched a new platform, the Compromised Identity Exchange, which “aims to protect U.S. consumers, businesses and government entities from data breach-related identity theft and fraud.” Participation in the exchange is free to organizations that have suffered a data breach of personally identifiable information in order to drive widespread protection for breach victims. According to the firm, The Compromised Identity Exchange synthesizes breached records with ongoing fraud analysis to offer banks, financial lenders and other service providers “unprecedented insight into which of their accounts and applications carry a higher risk of fraud related to one or more data breaches.” It does this without the need for ongoing data sharing from breached entities, the firm stressed. [Source]
Following Edward Snowden’s revelations about surveillance, officials have downplayed its programs as being concerned not with the actual content of email or phone calls, but “just” with collecting metadata, as if metadata didn’t reveal just about as much about us as does the content itself. Metadata, when it comes to phone communications, includes who we call or text, who they contact (that’s called a “hop”), when we call or text, and the duration of each call or length of each message. Since the surveillance revelations, there have been various studies about how much can be gleaned about us from metadata. The answer: a lot. Now, researchers at Stanford University in the US have done another study, and their findings confirm that basic, supposedly anonymous phone logs can be used to glean people’s names, where they live, their partners’ names, and intimate personal details. A sample of the researchers’ vignettes show the type of things they managed to infer:
- Somebody’s planning to grow weed. Within less than 3 weeks, the subject made calls to a hardware outlet, locksmiths, a hydroponics store, and a head shop.
- Somebody’s got heart problems. The evidence included a long call from the cardiology group at a regional medical center, brief calls with a medical laboratory, several short calls from a local drugstore, and brief calls to a self-reporting hotline for a cardiac arrhythmia monitoring device.
- Somebody’s pregnant. Early one morning, the subject was on the phone with her sister for a long time. Two days later, she called a nearby Planned Parenthood clinic several times. Two weeks later, she placed more brief calls to Planned Parenthood, and she placed another short call a month after.
The study involved 823 participants who volunteered to have their metadata collected via an Android app on their phones. The researchers also required participants to have a Facebook account, so as to verify that they were over the age of 18, as well as to verify the accuracy of their results. [Naked Security] [TechCrunch][“Evaluating the privacy properties of telephone metadata“]
Americans Collecting Disability and Unemployment are at Risk of Identity Theft. Members of the FTC and consumer groups criticized the Employment Development Department’s (EDD) practice of using the numbers as identifiers on mailed documents and state lawmakers from both sides of the aisle demanded the EDD make changes. The coverage ultimately shamed the EDD into doing what it had long insisted was impossible. Three months after our first report, the agency began redacting social security numbers on the most commonly mailed documents. However, now we’ve discovered the EDD is still printing the number on many other mailed documents, including those sent to claimants collecting disability. The EDD is not alone in mailing sensitive information. ConsumerWatch reached out to every state in the nation and only 8 of the 42 states that responded say they redact Social Security numbers on all mailed documents. Like California, 17 admit they still mail the full number on documents to both claimants and employers. Another 17 states say they only print the full SSN on documents mailed to employers. However, that is just as concerning for many who don’t trust that their former employers will take the same care that they would to properly dispose of the documents. [Source]
Ann Cavoukian, former Ontario, Canada information and privacy commissioner, will form a new international council to advocate and set standards for privacy by design. The International Council on Global Privacy and Security: By Design will work with companies, national privacy commissioners and technology professionals to educate the public and raise awareness for privacy by design. Cavoukian set out three goals for the council:
- educate politicians, businesses, government, media and the public that systems can and must be engineered to protect both privacy and security;
- create policy templates that can show how privacy can be applied to technologies in the digital age; and
- foster technology innovation in academic institutions around the world to foster privacy and public safety, as well as privacy and business interests, such as big data and data analytics, without sacrificing either privacy or security. [Source]
Google and Facebook-owned third parties are among the top-used on the Internet’s most-viewed sites, a new study from the Princeton Web Census shows. “Google owns seven of the 10 most loaded third-party domains,” the report states, adding Google Analytics was by far the most popular. “The remaining three are all owned by Facebook.” While the study found the amount of third parties a typical Internet user would engage with is “relatively small,” new websites are among those with the highest number of trackers. “Since many of these sites provide articles for free and lack an external funding source [these sites] are pressured to monetize page views with significantly more advertising,” the study states. [Full Story]
US – National Institute of Justice to Review Body Worn Cameras, Seeks Input
The National Institute of Justice (“NIJ”) is soliciting information in support of the upcoming National Criminal Justice Technology Research, Test, and Evaluation Center (NIJ RT&E Center) “Market Survey of Body Worn Camera (BWC) Technologies”; input is due May 31, 2016. [Source]
MIT and Oxford University researchers say with just eight tweets, “a relatively low-tech snooper” can deduce a user’s whereabouts using location stamps. A paper presented by researchers Ilaria Liccardi, Alfie Abdul-Rahman and Min Chen at a recent conference says while Twitter’s location notation is opt-in, many users reportedly engage the services. “With this study, what we wanted to show is that when you send location data as a secondary piece of information, it is extremely simple for people with very little technical knowledge to find out where you work or live,” Liccardi said. Their work was a part of MIT’s Internet Policy Research Initiative, a program geared toward increasing social media privacy awareness. [MIT News]
Nearly 70,000 OkCupid users had their data published by researchers, including their usernames, location, sexual turn-ons and sexual orientation. Two Danish researchers, Emil O. W. Kirkegaard and Julius D. Bjerrekær, collected the data from the dating website using a scraper, a tool saving certain segments of a Web page. The scraper targeted random profiles who had answered numerous OkCupid multiple-choice questions. While the researchers’ actions were legal, criticism has been levied at the project. Scott B. Weingart, digital humanities specialist at Carnegie Mellon University, said in a tweet he could use the information to re-identify the actual identities of OkCupid users. Weingart claimed he could with 90 percent accuracy connect sexual preferences and histories to real names of over 10,000 of the OkCupid users. [MotherBoard]
When you sign up for a dating website, you are making your information available for other users to see. But does that mean your information is “public”? Experts are now mulling this question after a group of researchers released a data set of nearly 70,000 users from the online dating site OkCupid. The researchers used a “scraper,” or a browser extension designed to collect data from web pages, to collect the data. In other words, they collected the data without OkCupid’s permission, breaking the site’s terms of usage and the Computer Fraud and Abuse Act. The data was uploaded on Open Science Framework, an online forum that encourages researchers to share data for easy collaborations, but it has since been removed. The scraped data revealed many user details including name, age, gender, religion, and detailed information about users’ habits and preferences. When asked whether the researchers took measures to anonymize the data, Mr. Kirkegaard, the lead researcher responded, “No. Data is already public… All the data found in the dataset are or were already publicly available, so releasing this dataset merely presents it in a more useful form.” But even if the data is available to other users, should it be shared publicly? Some experts don’t think so. While OkCupid lets registered users view profiles of other users on the site, that doesn’t justify anyone releasing this information to the public, they say. In this case, the researchers breached the ethics of Social Science Research, which requires researchers to obtain consent from subjects as well as ensure that researchers are maintaining confidentiality before they can publicly share personal information. The OkCupid profiles include very personal information on everything from political views to sexual habits. OkCupid asks its users hundreds of questions to help its algorithm generate better matches. Though the researchers didn’t release real names with the data, just profile user names, that is not considered maintaining confidentiality, say experts. One Twitter user claimed that he could link some bits of data to actual names of more than 10,000 users on OkCupid. [The Christian Science Monitor] See also: [OkCupid Study Reveals the Perils of Big-Data Science]
Deloitte published its annual privacy index 10 May, which found that of 88 brands’ apps, from various industries in Australia, 16% accessed users’ phone data without notifying them. The surveyed brands were not named, although Deloitte’s Tommy Viljoenhen called them among “the most trusted.” He added, “What’s happening with the brands we don’t know about? As consumers, are we even aware of the extent to which information is being collected without our knowledge?” [Mashable]
A new report details how schools are “soft targets” for companies looking to obtain data and market to children. “Learning to be Watched: Surveillance Culture at School,” from the National Center for Education Policy at the University of Colorado at Boulder, discusses how student privacy has been compromised by organizations creating relationships with schools, often through free technology. The report also discusses how laws created to protect student privacy, including the Children’s Online Privacy Protection Act, have major weaknesses. “Schools have proven to be a soft target for data gathering and marketing. Not only are they eager to adopt technology that promises better learning, but their lack of resources makes them susceptible to offers of free technology, free programs and activities, free educational materials, and help with fundraising,” the report said. [The Washington Post]
US – SCOTUS on Spokeo: Life Just Got Harder for Class-Action Lawyers As Court Rejects ‘No-Injury’ Cases
Plaintiff lawyers who have built a lucrative business over the past few decades suing companies over minor legal breaches that arguably harmed no one may have a tougher time bringing cases following the U.S. Supreme Court’s decision in Spokeo v. Robins, requiring plaintiffs to plead a “concrete” injury to proceed in federal court. The decision wasn’t a complete win for corporate defendants as the court left plenty of room for creative lawyers to craft complaints that allege their clients suffered an injury, no matter how small, from miscues like data breaches or incorrectly worded mortgage documents. But by stating clearly that some injury is required under Article III of the Constitution, the court may have ended the long-profitable business of suing companies over nothing more than statutory damages provided under laws like the anti-robocalling Telephone Consumer Protection Act. Spokeo was sued by Thomas Robins, who claimed the online information site inflated his education credentials and made other errors that may have caused him to have a harder time finding a job. I say “may have,” since it is extremely unlikely any potential employers actually looked at his entry on Spokeo and Robins didn’t provide any evidence supporting the idea he was harmed. [Forbes] See also: [Brace for more class action challenges post-Spokeo]
The Electronic Frontier Foundation released its 2015 annual report, covering all of the work the organization has achieved during the past year. The group celebrated more than 500,000 installations of its Privacy Badger browser extension and the two-millionth certificate of its Let’s Encrypt service. The EFF also touted major activism and law efforts it has completed in the past year. “We fight to make sure people have access to the speech platforms and privacy tools that help them take control of their world,” said EFF Executive Director Cindy Cohn, adding, “Based in part on our near decade of activism and legal work, Congress also passed the USA Freedom Act, the first real restrictions and oversight imposed on the NSA’s surveillance powers since 1978.” [Full Story]
US – Other Privacy News
- Sen. Ron Wyden, D.-Ore. will debut a bill this week that would undo the recent decision by the Supreme Court to allow judges to issue hacking warrants outside their respective jurisdictions.
- Section 702 of the FISA Amendments Act is set to expire next year sparking debate on Capitol Hill. The provision allows the government to obtain electronic communications of foreigners located outside of the country.
- The FTC has published new guidance to assist employment background checking agencies with Fair Credit Reporting Act compliance, the agency announced in a statement.
- The U.S. Department of Education cited FERPA in a letter alerting school districts to follow federal law allowing students to use bathrooms and locker rooms “consistent with their gender identity.”
- The chair of the Securities and Exchange Commission argued the proposed Email Privacy Act as currently drafted would deliver a major blow to the SEC’s ability to catch criminals.
- A Wisconsin state appeals court has ruled that the Driver’s Privacy Protection Act doesn’t require law enforcement agencies looking to comply with open records laws to redact names from accident reports.
Acronis has announced a new strategic initiative to develop applications of Blockchain technology for data protection. The company announced the initiative at its 2016 VIP Partner Summit held in Singapore this week. Acronis is taking a unique and targeted approach at how Blockchain can be used to solve specific data protection problems by seeking and developing use cases that exist today. Data and transactions that are protected from tampering by Blockchain can be used for those use cases where individuals or businesses absolutely must maintain the integrity of the original information. [Source] See also: [IBM Touts Blockchain to National Cyber Security Commission]
44% of companies do not think it should be compulsory for staff to be trained around data security, even though they have formal data protection processes in place. This is despite the security firm finding more than 22% of IT professionals have shared confidential information using an unsecure file sharing platform such as Google Drive, OneDrive or Dropbox, while 10% said they have shared data with people outside the company. Employees are also no strangers to data loss. 13% of the 2,000 IT professionals questioned admitted they have lost data while at work and 5% said they have experienced a data breach. Egnyte also explained that 14% of staff had opened an unsecure link that had been sent to their work email and 12% had used a public Wi-Fi network to work on confidential documents. “File sharing technology is sound from a security perspective… The root cause of mishaps is simply lack of awareness. With conscious effort to educate end users, enterprises can secure their data at little real cost. “Additional measures as simple as creating a checklist of content protection recommendations and making it readily available to employees, or integrating content management best practices into onboarding, can move the needle.” [Source]
Stakeholders taking part in the National Telecommunications & Information Administration Multi-Stakeholder process have agreed to a set of best practices for drones. The practices are designed to provide flexibility for drone use, especially for smaller operators, while providing strong privacy standards. Groups agreeing to the practices include Amazon, the Software & Information Industry Association, and the Consumer Technology Association. “These standards will help ensure these technologies are deployed with privacy in mind,” said Future of Privacy Forum CEO Jules Polonetsky,. In a blog post, Center for Democracy & Technology Vice President of Policy Chris Calabrese said, “As the nascent drone industry is starting to take-off, adopting these best practices will help ensure that drones fly safely, ethically and respectfully.” [FPF]
The Center for Democracy & Technology joined forces with Fitbit to release a report detailing the best privacy practices for research and development teams working in wearable technologies. Together with Fitbit, the CDT conducted interviews, surveys and other research to assess industry trends and best practices. “R&D teams in wearable technology can and should also be laboratories of privacy and ethical research best practices,” wrote CDT and Fitbit. The paper also offers “practical guidance on privacy-protective and ethical internal research procedures at wearable technology companies,” they add. Other key takeaways include the need for a culture of privacy, security and ethics in R&D, successful management of many different forms of trust with consumers, and the need for policies and procedures for handling ethical questions on R&D teams. [Full Story]
Tracking apps can be useful in a variety of ways, such as, letting consenting spouses know each other’s locations. However, location data from mobile devices can be highly personal …”GAO found that some federal laws apply or potentially apply to smartphone tracking apps, particularly those that surreptitiously intercept communications such as e-mails or texts, but may not apply to some instances involving surreptitiously tracking location. Statutes that may be applicable to surreptitious tracking apps, depending on the circumstances of their sale or use, are statutes related to wiretapping, unfair or deceptive trade practices, computer fraud, and stalking. [Experts the GAO interviewed] also expressed concerns over what they perceived to be limited enforcement of laws related to tracking apps and stalking,” the GAO stated. [Network World]
- The Senate Judiciary Committee is expected this week to mark up a companion measure to the House bill updating the Email Privacy Act.
- Passcode reports on the trend of federal and state lawmakers restricting the ability of law enforcement to surveil cellphone use.
- The Louisiana House has voted down a Senate-approved proposal allowing law enforcement to automatically scan license plates.
- The Vermont legislature has passed a bill that would significantly restrict police surveillance abilities. It would require police to get a warrant to use stingray devices to track phones and restrict police drone use, among other things, reports Tenth Amendment Center. The bill awaits the governor’s signature.
The FTC has published new guidance to assist employment background checking agencies with Fair Credit Reporting Act compliance, the agency announced in a statement. The guidance is primarily concerned with showing companies what work would qualify them as a consumer reporting agency and, given that, what their legal obligations may be. [FTC]
Director of National Intelligence James Clapper released a policy May 13 that confirms federal agencies will begin using public information from social media sites when looking at security clearance applications. Information the government finds irrelevant will be deleted from their servers, the report states. Some lawmakers expressed concern. “How do we flag the serious from the trivia?” asked Rep. Gerry Connolly, D-Va. “How do we make sure we don’t have some enormous depository of government information” that is held? [The Washington Post]
“Companies that monitor their employees’ emails or Internet activity now have new protections from potential allegations of wiretap violations: Under the Cybersecurity Act of 2015, companies enjoy liability protection for the monitoring of their information systems for ‘cybersecurity purposes.’” “The act’s inclusion of liability protections for cybersecurity activities to safeguard theconfidentiality of information suggests that monitoring in order to protect trade secrets and intellectual property could receive liability relief in addition to monitoring for general network security.” [Full Story]
A Court of Queen’s Bench judge has quashed a 2014 arbitration panel ruling that determined the proposed testing plan would violate the privacy of union workers represented by Unifor. Justice Blair Nixon said the panel should have considered evidence about alcohol and drug incidents involving all workers at Suncor, including non-union contract employees. “By focusing only on the bargaining unit, the majority (of the panel) expressly excluded consideration of relevant evidence,” Nixon wrote. “The majority ignored evidence pertaining to some two-thirds of the individuals working in the oilsands operation.” [Source]